zScaler VPN connections report regular "internal error" when SEP for Mac firewall is enabled

Article ID: 187967


Updated On:

Products

Endpoint Protection

Issue/Introduction

zScaler VPN connections report a recurring "internal error" when the SEP for Mac firewall is enabled, even when the firewall is configured to allow all network traffic.

zScaler typically displays "Internal Error" every few minutes with a "Retry" button.

Environment

Component : SEP for Mac

Release : all versions up to 14.3

Cause

Under investigation.

Resolution

If you are troubleshooting SEP for Mac firewall rules, a generic "Allow All" rule at the top of the rule list might not resolve the issue. Instead, create an "Allow All" rule that explicitly allows the full range of remote IP addresses: IPv4 0.0.0.1 through 255.255.255.255 and IPv6 0000:0000:0000:0000:0000:0000:0000:0000 through FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF.

If this works, consult your VPN documentation for the exact ports and network ranges the client uses, and narrow the rule into a more specific "Allow VPN" rule.

Examine the output of the ifconfig command on a Mac client and look for utun interfaces, which VPN software uses for its tunnel. For example:

...
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet ##.##.0.1 --> ##.##.0.1 netmask 0x########
...

The range to allow follows from the address and netmask on the utun interface. For the example above, where the netmask yields a /16 network, allowing the remote IP range ##.##.0.1 through ##.##.255.254 covers the remote addresses the VPN uses on this interface.

Consult your zScaler configuration and support pages for the specific ports the software uses, and add those ports to the rule to make it more selective.
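The steps above (find the utun interface, read its address and netmask, turn that into a remote IP range for the allow rule) can be scripted. The following is an added example and not part of the KB article or any Symantec or zScaler tooling; it parses a constructed ifconfig excerpt with illustrative addresses and derives the first and last usable host for each utun interface. The port list still has to come from the zScaler documentation, as the article says.

```shell
#!/bin/sh
# Added example: parse ifconfig output for utun (VPN) interfaces and derive the
# remote IPv4 range to allow in the SEP for Mac firewall rule. Not part of the KB.

# Constructed ifconfig excerpt for offline use; addresses are illustrative, not real
# zScaler ranges. Against a live Mac, call: utun_ranges "$(ifconfig)"
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.20.0.1 --> 10.20.0.1 netmask 0xffff0000
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet 100.64.5.7 --> 100.64.5.7 netmask 0xfffffc00'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4 address.
int2ip() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                          $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Given an address and a hex netmask (as ifconfig prints it), print the first and
# last usable host of that network: the remote range for the firewall rule.
# A /31 or /32 point-to-point mask has no usable-host span, so the peer address
# itself is returned for those.
host_range() {
  ip=$(ip2int "$1")
  mask=$(( $2 ))
  net=$(( ip & mask ))
  bcast=$(( net | (mask ^ 0xffffffff) ))
  if [ $(( bcast - net )) -lt 2 ]; then
    echo "$(int2ip "$ip") $(int2ip "$ip")"
  else
    echo "$(int2ip $(( net + 1 ))) $(int2ip $(( bcast - 1 )))"
  fi
}

# Walk ifconfig output; for every utun* interface with an inet line, print
# "<iface> <first-host> <last-host>". inet6 lines are ignored on purpose.
utun_ranges() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z0-9]+:/ { iface = $1; sub(/:$/, "", iface); next }
    $1 == "inet" && iface ~ /^utun/ {
      for (i = 1; i < NF; i++) if ($i == "netmask") print iface, $2, $(i + 1)
    }' | while read -r iface addr mask; do
    echo "$iface $(host_range "$addr" "$mask")"
  done
}

utun_ranges "$SAMPLE_IFCONFIG"
```

For the sample, utun2 yields 10.20.0.1 through 10.20.255.254, the same shape as the article's ##.##.0.1 through ##.##.255.254 range; utun3 with a /22 mask yields 100.64.4.1 through 100.64.7.254. Use the printed range as the remote IP range of the "Allow VPN" rule, then restrict it further by port once the zScaler documentation has been checked.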